Making IDS Cool Again

Over the years, intrusion detection systems (IDS) have fallen off the radar for most security organizations. They seem about as relevant to today as pagers. This view is largely tied to the perception that IDS has been subsumed by intrusion prevention systems (IPS), which in turn has been subsumed by next-generation firewalls and UTMs.

This view has been largely confirmed by IDS/IPS vendors who focus almost exclusively on improving their IPS features and treating IDS as a deployment option in their IPS product portfolio.

Today, the lack of innovation in intrusion detection is coming home to roost. Modern attackers are far more sophisticated and increasingly successful at infiltrating a target network. Intrusions are increasing and harder to detect.

It has become very clear that intrusion detection and intrusion prevention are not simply deployment options of the same technology. They are in fact separate disciplines with unique requirements, goals and roles in the security stack.

The when and the where

The most obvious difference between modern IDS and IPS is that they address different phases of an attack. Intrusion prevention is all about keeping threats out of the network by detecting the moment of infection or initial compromise. IPS scans traffic for thousands of vulnerability exploits, known malicious domains and other harbingers of attack.

Conversely, intrusion detection are logically focused on the phases of attack that come after the infection. The very presence of an intrusion means that a compromise has already occurred, and security needs to look for different things to detect the intrusion.

Instead of searching for exploits, the game has shifted to finding signs of internal reconnaissance, malware spreading internally, signs that user credentials have been compromised, or that data is being harvested. At a fundamental level, modern intrusion detection must detect very different things than IPS.

These signs show up in different physical places. The job of keeping threats out makes IPS well suited for deployment at the boundary between the internal network and the Internet. While the perimeter is a logical place for prevention, the long tail of an attack plays out inside the network as well.

Spying, spreading, and stealing get done on the inside, and this is where IDS must be deployed. Although IDS is typically deployed deep inside the network, it’s important to make sure that it looks in the right places and for the right signs of threats. Failing in either case means you’re unlikely to find real threats.

When speed is king and when speed can kill

In addition to looking in the right place at the right time, IDS is in desperate need of a new brain. While IPS has gotten faster and relies on more types of signatures, the core detection methodology has remained stagnant.

For decades, signatures were the dominant detection method because they’re fast and adapt to finding a variety of malicious indicators. Using short character strings, signatures can find exploits, malicious domains, IP addresses, bad user agents, and countless other malicious payloads.

And while the weaknesses of signatures are widely known, there’s a good reason that they remain the basis of the IPS brain – speed. If you’re going to prevent a threat, then you have to make decisions very quickly.

As IPS was deployed in-line and integrated into UTMs and firewalls, decisions about good and evil had to be made instantly – there’s little time for IPS to think. Signatures must be fast and consume minimal memory, leaving scant room for context.

Modern intrusion detection is of no use with these types of restrictions. Instead of following the directive of in-line network devices, IDS must follow the directive of what is best for detecting threats.

Today’s cyber attacks are long, multi-step operations that evolve over time and evolve over multiple devices. Isolated events that appear benign can only be revealed as malicious when they are viewed in a temporal and network context.

This necessitates new detection methodologies and approaches. Although there are no silver bullets, a modern and effective IDS must have the flexibility to develop and use a wide variety of detection strategies without being married to just one approach.

Despite the industry’s overuse of the term “next-generation,” it’s clear that IDS has to take a giant step forward. Instead of being thought of as a defanged version of IPS, IDS must become the superset for all detection methods. It’s the only way to ensure that we have the brain to power the enforcement brawn of IPS.

Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.